From: Mathias Nyman
Subject: Re: [PATCH] xhci: fix null pointer deref for xhci_urb_enqueue
Date: Tue, 28 Nov 2023 15:57:51 +0200
Message-ID: <51b8fc3d-25ef-1ab3-d744-8d851a133828@linux.intel.com>
To: Kuen-Han Tsai
Cc: mathias.nyman@intel.com, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Alan Stern
References: <20231117072131.2886406-1-khtsai@google.com>
List-ID: linux-kernel@vger.kernel.org

On 20.11.2023 17.33, Mathias Nyman wrote:
> On 18.11.2023 12.19, Kuen-Han Tsai wrote:
>> Hi Mathias
>>
>>>>        if (usb_endpoint_xfer_isoc(&urb->ep->desc))
>>>> @@ -1552,8 +1561,10 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
>>>>                num_tds = 1;
>>>>
>>>>        urb_priv = kzalloc(struct_size(urb_priv, td, num_tds), mem_flags);
>>> kzalloc with spinlock held, should preferably be moved outside lock, otherwise should use GFP_ATOMIC
>>
>> Thanks for pointing this out. I realize this patch is incorrect and it
>> is non-ideal to include much code unrelated to xhci->devs[slot_id]
>> within the lock.
>>
>>> xhci_check_maxpacket() called here can't be called with spinlock held
>>
>> It appears that xhci_check_maxpacket() might potentially lead to a
>> deadlock later if a spinlock is held. Is this the concern you were
>> referring to? If not, please let me know if there are any other
>> potential issues that I may have missed, thanks!
>
> xhci_check_maxpacket() will allocate memory, wait for completion, and use the same lock,
> so there are several issues here.
>
> I actually think we shouldn't call xhci_check_maxpacket() at all while queuing urbs.
>
> usb core knows when there was max packet size mismatch during enumeration.
> I think we should add a hook to the hcd that usb core can call in these cases

I moved the max packet checks away from xhci_urb_enqueue() and fixed up the locking.

I can't trigger the original issue, but I tested it by setting incorrect initial max packet size values.

If you have the chance to test this with your setup I'd appreciate it.

Patches found here:

git://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git fix_urb_enqueue_locking
https://git.kernel.org/pub/scm/linux/kernel/git/mnyman/xhci.git/log/?h=fix_urb_enqueue_locking

I'll add them to this thread as well

thanks
Mathias
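Review bot: in the @@ -1552,8 +1561,10 @@ hunk of xhci_urb_enqueue(), `urb_priv = kzalloc(struct_size(urb_priv, td, num_tds), mem_flags);` now runs with the xhci spinlock held but still passes the caller's mem_flags, which may be a sleeping flag; either move the allocation (and the num_tds/isoc setup, which does not depend on xhci->devs[slot_id]) ahead of the lock, or pass GFP_ATOMIC. The same applies to xhci_check_maxpacket() in the locked region: as noted in the thread it allocates, waits for a completion and takes the same lock, so it must not be called with the lock held.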
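As an added illustration of the locking problems discussed above (not xhci code and not Mathias's patches), the following userspace C model uses a lock that records whether it is held, so it can report what might_sleep()/lockdep would flag in the kernel: a sleeping allocation or a recursive acquisition under the spinlock. The struct names, `check_maxpacket` and the two `enqueue_*` functions are constructed stand-ins for xhci_check_maxpacket() and the two orderings of xhci_urb_enqueue().

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the locking problems in the thread, not xhci code. The lock records
 * whether it is held, so the model returns an error instead of hanging where the kernel's
 * might_sleep()/lockdep checks would complain about sleeping or re-locking under a spinlock. */
struct toy_lock { bool held; };
struct toy_hcd { struct toy_lock lock; void *devs[4]; /* stands in for xhci->devs[] */ };
static bool toy_lock(struct toy_lock *l) { if (l->held) return false; l->held = true; return true; }
static void toy_unlock(struct toy_lock *l) { l->held = false; }
/* kzalloc(GFP_KERNEL) may sleep, so it is invalid under the lock; GFP_ATOMIC would be allowed. */
static void *alloc_sleeping(struct toy_lock *l, size_t sz) { return l->held ? NULL : calloc(1, sz); }

/* Models xhci_check_maxpacket(): allocates, waits for completion, and takes hcd->lock itself,
 * so calling it with hcd->lock held is both a sleep-in-atomic bug and a self-deadlock. */
int check_maxpacket(struct toy_hcd *hcd)
{
    void *ctx = alloc_sleeping(&hcd->lock, 32);
    bool ok = ctx && toy_lock(&hcd->lock);
    if (ok) toy_unlock(&hcd->lock);
    free(ctx);
    return ok ? 0 : -EDEADLK;
}

/* Pattern the thread rejects: the check and the allocation run after the lock is taken. */
int enqueue_under_lock(struct toy_hcd *hcd, int slot_id)
{
    toy_lock(&hcd->lock);
    int ret = check_maxpacket(hcd);
    if (ret == 0) {
        void *priv = alloc_sleeping(&hcd->lock, 64);
        ret = !priv ? -EDEADLK : (hcd->devs[slot_id] ? 0 : -ENODEV);
        free(priv);
    }
    toy_unlock(&hcd->lock);
    return ret;
}

/* Fixed ordering: the max packet check leaves the enqueue path (the posted fix moves it to a hook
 * usb core calls), the allocation precedes the lock, and only the devs[slot_id] check sits under it. */
int enqueue_alloc_first(struct toy_hcd *hcd, int slot_id)
{
    void *priv = alloc_sleeping(&hcd->lock, 64);
    if (!priv) return -ENOMEM;
    toy_lock(&hcd->lock);
    int ret = hcd->devs[slot_id] ? 0 : -ENODEV;   /* NULL slot is rejected, not dereferenced */
    toy_unlock(&hcd->lock);
    free(priv);                                   /* real code would attach priv to the urb */
    return ret;
}
```

Running it with a NULL slot shows the fixed ordering returns -ENODEV cleanly, while the original ordering fails on the recursive lock before it ever reaches the slot check.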